Hacker News new | past | comments | ask | show | jobs | submit login
Facebook Hit by Apple’s Crackdown on Messaging Feature (theinformation.com)
267 points by tareqak on Aug 6, 2019 | hide | past | favorite | 186 comments

I've noticed something sneaky about Facebook on my phone. I refuse to install their apps but I do use Facebook a bit so I use it via the phone Browser (in my case, Chrome on Android).

I've noticed that sometimes Facebook shows a fake 'youve got a message' icon to try and trick you into installing their messenger app.

To re-produce this behaviour: (this works best if you dont get a lot of facebook messages. Also you need a phone with no facebook apps installed)

- On your desktop PC, use facebook to send a message to someone

- Then switch to your phone, using facebook in the browser

- After about an hour, the little speechbubble message icon at the top will go red, showing you've got a message

- If you click on this from a phone browser, it redirects you to install messenger. (normally, phone-browser facebook doesnt do messenger features)

- Instead of that, switch on 'request desktop site' (not sure what iOS calls this option) to make your phone display the desktop version of facebook. And then you can (usually) read your messages in the browser

- But you will find that there is no new message, and the new message icon will no longer be lit up.

I've had this happen five or six times now - supposedly new messages have arrived but when you look there are none. It always happens about an hour after sending a message. I'm pretty convinced its deliberate behaviour on the phone browser version of facebook to get you to install their messenger app.

I suggest people using https://mbasic.facebook.com.

Messages work, no JavaScript, less noise.

Or bite the bullet and leave facebook. Your friends won’t vaporize.

Have you tried messenger.com from your browser?


Just went on it. On a browser you have to enable desktop mode for login to show.

Also if you login this way and disable desktop mode it forces you out. If you reenable it renders the chat. Theres no reason the chat wouldnt work on Mobile desktop mode isnt using a different browser just lying to the web server and frontend JS.

Amazing. I already rarely use Facebook as it is. I might just outright stop since they are dying to infest your phone so badly.

I actually believe part of it is that they rely on this editor[1] for the messenger and anyone who tries to use it on any device that supports IME (like phones) will find that it does not work at all.

[1] https://github.com/facebook/draft-js

Not so much that it doesn't work at all. More like, it appears to work and then fails horribly down the road.

I've been bitten by it too much. It's typically the auto-complete feature of mobile keyboards that fails. Something that you don't always see in emulators.

That's a library made by Facebook though... How odd, I doubt they don't have the resources to fix that problem in their own library.

This. This is what regulators should be concerned about.

I don't think it's an attempt to get you to install messenger so much as it's a cheap tactic to drive engagement, generally. I do have Messenger installed on a device, and it also shows unread notifications for conversations where I sent the last message, a bit (I've never timed how long) after the message was sent.

I assumed it was just some shitty dark pattern, that (enough) people are Pavlov-ing at unread notifications to pad their usage metrics nicely, because someone thought, "Let's poke people's brains to make the graphs look better!" or something. I mean, it is Facebook.

EDIT: Phrasing

In your case I have a different explanation. Displaying a notification and then having nothing to show for it weakens Facebook. People start thinking the notification is probably bogus and don't even click it. Maybe a short term boost, but very harmful in the long run.

So then, why do they do it? I think it's because Facebook is made up of many separate teams that are trying to get ahead of each other. Some team did this and had really positive short term numbers and that got them all promoted, and then they hope nobody is able to attribute the long term loss to their team. This is Facebook creating fake engagement to scam itself.

I use mbasic.facebook.com on my phone (since there is no messenger on facebook's mobile site). Reading messages on mbasic doesn't remove the "new messages" notification from the regular website. That is to say, this might also be a technical issue, i.e they keep state of "messages read" per front-end.

And, of course, it's an engagement thing probably, too.

To be honest it seems like a bug (which is totally not uncommon with fb)

I've actually uninstalled the fb app because it was more buggy than using the mobile site.

It seems that notification doesn't get cleared for a while in the mobile site. Since the messenger app does notify of new messages and the notification does get cleared (on the app) once you read it, something is not right on the backend.

FWIW this has never happened to me.

It also strikes me as suboptimal even as a "dark pattern": Clicking on conversations when you have the app open already, and not seeing new messages you expect, is frustrating without any conceivable payoff for Facebook. The pattern mentioned above–the app icon showing activity, which gets you to open the app–seems far more plausible.

I've seen in happen, particularly when switching between devices (there are times when this means I'm switching network completely, not just between devices on the same LAN) so I've assumed it is an artifact of "eventually consistency" between Facebook's many clusters and frontend nodes.

Bookmark https://mbasic.facebook.com to get the messenger features in a readable format on smaller screens.

You beat me to it. I refuse to install the app and consistently see the fake notification. I like the smaller images too, easier to view the feed at a glance.

There are also extensions for Firefox that disable the messenger redirect and let you use the chat interface on the normal mobile site.

I had that icon too and was confused because I couldn’t find any message. On the desktop Facebook site it turned out I did have a new message from someone who wasn’t a Friend. I changed the settings to disallow messages from people who aren’t friends. And never had the issue again. But I just checked and I can’t find that setting now...

The exact same thing happens to me. Hate their messenger app too. The bad UI makes it so easy to send a message to the wrong person, and the app feels so slow and sluggish overall.

How can you easily send a msg to the wrong person?

This is absolutely a dark pattern. I sometimes install the FB app if I need to check something, but NEVER the messaging app. And the FB app will always claim I have 5 or so messages... Which of course is never actually true.

I have messenger installed and I see the same. Honestly I think in this case it is only development team incompetence doing cache invalidation properly.

Yeah, this is my theory too. I use Tinfoil for Facebook on Android, and it shows I have 15 unread messages. Basically, every time I open Tinfoil while I have a new message I haven't read in Messenger, it increments, and that never gets cleared. If they were trying to drive engagement or to get you to install Messenger, why would they want the number to keep increasing well after you've caught onto the trick?

Did you add any friends lately? Do you know those "greetings" that Facebook pushes into Messenger whenever you add a new friend on Facebook?

I've recently noticed on my SO's phone that Messenger counts them as "unread messages", and the only way to clear them is to a) send that greeting, or b) clear them from a desktop.

In other words, they're getting pretty desperate to drive the engagements up, and this is something that probably wasn't implemented in third-party clients.

Note that this is different than a "message" on a mobile browser. Last time I've checked (admittedly, quite some time ago), there was one "message" that never gets cleared, regardless of what you do.

The "message" you see the notification for is the one from Facebook telling you how super great Messenger is and how you should join your 327 friends who already installed it. Then the notification arguably-correctly goes away once you've seen the upsell message.

I think simply ever having used Messenger does that - mine never shows up otherwise, even if I’ve just cleared out my messages. It reminds me of the dark pattern which got me to uninstall Messenger, where they’d send push notifications with fake alerts from your friends which when opened were simply telling you that the other person had Messenger.

The net effect is that I uninstalled all of their apps and only use https://mbasic.facebook.com/ a few times a month

I don't think it's intentional. Facebook has had this bug for several years. Interestingly one of the reasons they created react/flux was to fix it: https://youtu.be/nYkdrAPrdcw (15 minute mark)

We had our most annoying chat bug happen over and over. Users would get an unseen count and there would be no unseen messages behind it. And everyone's sort of used to seeing one of these numbers, click on it, you get something new behind it. That's exciting. But when they get that number, they click and there's nothing there, or they refresh the page and it's gone, that's really annoying. That's really frustrating... And it wasn't like we wouldn't fix the problem. We would always fix some particular edge case. But this problem would keep coming back just because the whole system was fragile.

2014. And still not fixed. Either flux/react does not automatically fix the problem, or the fix never made it to the app. Or dark patterns.

Well the notification icons still don't retain state no matter what device I'm on, as in, I can check my notifications, determine that nothing exciting happened, and open the app 10 minutes later and have a red icon for the same notifications.

Sometimes I wonder what 1,000 programmers do all day

I’ve noticed the same with their notifications. As of right now, I have 1 notification. I will open the menu and see there’s not actually anything there. The badge then goes away. Refresh the page and it’s there again despite not having any notifications

Their fake notifications alone are one reason to despise them.

And there's so much more.

I have the same setup as you and can confirm this. If I go to facebook.com from my browser, it will always show 1 unread message even though there isn't one. It's pretty annoying.

Facebook isn't the only company to do this. I have a very,once in a blue moon, Twitter account. On the rare ocassion that I open the app, you can be sure that I'll get the red notification bubble soon after I stop using it. Open the app and are there any DMs or notifications? Nope. This pattern has happened enough times over the past few years that I finally got fed up and turned off notifications entirely last week.

All these Apps now seem to do evil things to drive engagement; for example you get notifications via app icon, email, inside the app and via push notifications all at different times so for one message you might end up interacting 3+ times which can be highly irritating. It seems like buggy software but it’s actually just making you go back to your apps more often.

This reminds me of the way Amazon will try to get you to go to smile.amazon.com when you follow an afilliate link to amazon.com.

I get something like this but on Instagram. I get a badge on Instagram saying that I have pending notifications on Facebook and there's an "Open Facebook" item in the Settings menu of the Instagram app.

Mine is currently in this state. I want aware it ever stopped.

I constantly have 4 unread messages in FB messenger(as shown on the main FB page) even though there are none. It's been like this for months.

Check your spam folder, yes FB has something like this for messages.

I have, there is nothing, not in the spam, not in the messages from unknown people, there just aren't 4 unread messages anywhere, yet the notification persists.

You can use the “request desktop version” feature on Safari and it’ll render fbook still in mobile mode but messages will be available.

I've noticed it for quite some time and thought exactly the same thing.

LinkedIn does this too.

(I worked at FB, but not on this.)

It's probably a bug. I use the FB apps on Android and Chrome on Win/Mac, and sometimes the notification thing goes out of sync and is stuck on "1" for a few days, and nothing seems to help. Then eventually it goes away. I'm 99.99% sure this is a some cache/consistency bug and not a trick. It's super annoying when it happens to me.

> “To be clear—we are using the PushKit VoIP API to deliver a world-class, private messaging experience, not for the purpose of collecting data."

I think we must be at the point where it's arguably irresponsible journalism for The Information to broadcast a claim like that from Facebook without immediately pointing out the occasions in the past when identical claims about data collection have turned out to be barefaced lies. Not every reader is going to have that context when reading the article, and they need to be equipped with the appropriate skepticism.

I'm not saying we need to dredge up the 90s any time Microsoft speaks publicly about open source. But the Facebook thing is an ongoing issue, and it hasn't been that long since their absolute worst abusive behavior, and there's been no change in management since then. I think it's reasonable that any quote from Facebook denying privacy abuses should be positively dripping with disclaimers.

(By the way, I'm loving the articles from The Information when they hit HN. Quality content.)

> "I think we must be at the point where it's arguably irresponsible journalism for The Information to broadcast a claim like that from Facebook without immediately pointing out the occasions in the past when identical claims about data collection have turned out to be barefaced lies."

I am struggling to recall any unambiguous instances like you suggest, especially anything rising to the level of "barefaced lies". What would be the best examples?

I agree that journalists should give sufficient context about Facebook's history around data and privacy, but I also expect anyone that is subscribing to The Information doesn't need it rehashed for them.

The time they collected phone numbers for express reason of 2FA, and then began using them to lookup and connect contacts?

Do you have any links with contemporaneous public messaging from Facebook about that? I am curious because the OP made a strong claim: that Facebook deliberately and specifically misled the public; and that there have been so many instances of this exposed that any journalist who fails to cite them is negligent.

Gizmodo [0] did the original reporting on what I've mentioned, based on the work of Alan Mislove amongst others.

Facebook's official statement when 2FA numbers started being made available for other purposes was:

> “We outline the information we receive and use for ads in our data policy, and give people control over their ads experience including custom audiences, via their ad preferences,” said a spokesperson by email. “For more information about how to manage your preferences and the type of data we use to show people ads see this post.”

They saw no reason to deny it. Any information handed to Facebook may be used for any purpose, even if it is not apparent to the user that they will exploit data given under one function for another unrelated function.

As a sibling has pointed out with several sources - this isn't new behaviour for Facebook.

[0] https://www.gizmodo.com.au/2018/09/facebook-is-giving-advert...

[1] https://mislove.org/publications/PII-PETS.pdf

But a general collection of potentially unethical or unseemly behavior is not the thing that we are looking for. The claim was that Facebook is known to engage in that behavior while then also lying about it when questioned.

> The claim was that Facebook is known to engage in that behavior while then also lying about it when questioned.

That is not how I read the parent.

Facebook asked for a phone number for 2FA (purpose).

Facebook then supplied that information for ad-targetting (definitely not what the user expects or agreed to).

There was nothing on the page when filling in the phone number that it might then be used for something other than 2FA. Just a general statement in their inhuman ToS that they can repurpose data.

That can very reasonably be construed that Facebook lied to the user - they weren't adequately informed. It certainly wouldn't be informed consent in most contexts.


But! If we are to take the view of whether Facebook has said one thing while actively doing another... Then the Cambridge Analytica scandal had it's own moment of that.

> “Every piece of content that you share on Facebook you own,” he [Zuckerberg] testified. ”You have complete control over who sees it and how you share it.”

> Facebook’s view that the device makers are not outsiders lets the partners go even further, The Times found: They can obtain data about a user’s Facebook friends, even those who have denied Facebook permission to share information with any third parties.

So, Facebook's official position was that you control your data, and who has access to it - but they didn't view device makers as a third party, and thus any device maker could overrule a user's choice and see their data if they wished.

As to the scale of the information a device maker can access...

> After connecting to Facebook, the BlackBerry Hub app was able to retrieve detailed data on 556 of Mr. LaForgia's friends, including relationship status, religious and political leanings and events they planned to attend. Facebook has said that it cut off third parties' access to this type of information in 2015, but that it does not consider BlackBerry a third party in this case.

>not for the purpose of collecting data.

That just sounds like skirting the fact that they likely are collecting data.

Right. "Not our purpose" != "We aren't doing it"

The article focuses on making calls, but moxie (from Signal) had this to say:

"PushKit is the only way to do e2e encrypted messaging in iOS. If they take that away, they're disabling the ability for messaging apps to function with e2e encryption. I don't see how Apple can frame that as "enhancing user privacy and security?" "

https://twitter.com/moxie/status/1158852855291269120 So it's not only about being able to answer calls quickly.

You still have the ability to use an extension that decrypts push notifications on the device when your app is not running.

>A UNNotificationServiceExtension object provides the entry point for a Notification Service app extension, which lets you customize the content of a remote notification before it is delivered to the user. A Notification Service app extension doesn't present any UI of its own. Instead, it is launched on demand when a notification of the appropriate type is delivered to the user’s device. You use this extension to modify the notification’s content or download content related to the extension. For example, you could use the extension to decrypt an encrypted data block or to download images associated with the notification.


One thing that's easy to miss, is that there's a lot of background processing essential for usable E2E that doesn't actually result in a user-visible notification. Much of this involves the local app doing some sort of server interaction in response to a push.

This could include responding to a message retry request, uploading new keys, handling receipts, etc.

I don't understand this commentary by Moxie. Why does removing PushKit functionality removes the ability for apps to do E2EE?

The only thing I can think of, is notifications maybe not being encrypted? But that seems like a bit of stretch to say you can't do E2EE messaging.

After a quick research* , the conclusion I arrive at is that Moxie stretched the truth. Removing PushKit functionality does not removes the ability for apps to do E2EE messaging.

From what I understood: with PushKit, it's possible to send a signal notification to the app. The app then fetches and decrypts new messages and generates appropriate notifications locally.

This is also possible to do with regular (silent) Push Notifications. The key difference seems to be that they are low priority and might not be delivered (thus no notification will be generated), and with PushKit it would.

So AFAIK this seems to be more an UX issue.

* I might be understanding something incorrectly.

Don't take my word for it but I believe that's the approach Telegrarm has.

If the notifications aren't encrypted, then that means it gets decrypted on some server somewhere too :(

That's not necessarily correct, it would depend of the implementation. See my reply.

Apple wants to commoditize privacy. They're running out of things to do. They will frame themselves as the new guard.

+1 to Apple's track record for user privacy.

I do not regret switching from Android to iOS (even if siri is woefully behind the voice assistant game)

According to Moxie (https://twitter.com/moxie/status/1158852855291269120), this isn't a positive for user privacy.

Also autocomplete. I had a samsung phone running android that was almost omniscient in knowing what I wanted to type or keeping track of what I had just been reading or searching for and giving me suggestions based on that (like if I had been reading about a restaurant and then went to send a text to my wife it would give me prompts about the restaurant, which is exactly what I wanted). iOS autocomplete is woefully subpar in comparison.

Just install SwiftKey. The native iOS keyboard is absolutely appalling, I don't wish it upon my worst enemy...

Why is it appalling? Can you be more specific?

That even today many European languages don't even have a basic dictionary. I'm not talking about the "guess the next word" feature. All I want is a dictionary that could suggest a correction to a misspelled word.

Use two languages at once? No way! I guess they need to invent a new chip or something.

Swipe to type? Hehe.

The keyboard in itself is fast and good but it lacks features.

The state of auto-suggest and auto-correct for anything but English (or maybe French, German, not a speaker so I don't know) is appalling. Auto-suggest is either not even an option or if it is it takes you to type almost the full word before suggesting something sensible. The auto-correct is way worse though. It sometimes suggests corrections to a wrongly spelled word even on basics like pronouns and such. But also let's not forget iOS/macOS don't even have all languages of the EU (when speaking of Europe) available as a system language. For the world's largest tech company it's beyond me why can't they put a team of 1-2 people per language to take care of properly localizing their software.

Those teams existed, but were disbanded and those people are now drawing up new emojis.

Typing in two languages works since iOS 11 (IIRC). I’m routinely typing in either English or Italian without ever manually switching language

But only two languages are supported, with no easy way to type in three or change the character set of the keyboard, which one can do with one swipe on SwiftKey Android.

One of the main reasons, in addition to lack of dual-SIM, I realised switching to iOS simply wasn't worth it for me.

Having a private number for my SO, closest friends and select high-retainer-fee clients to reach me 24/7 while also having an easily discoverable public phone number for business hours increased my response time when it matters while simultaneously tuning out the noise and anxiety of being constantly connected.

On iOS you can switch the keyboard with the small “globe” key between the “123” button and the dictation button on the lower left hand side of the keyboard, it’s one key press- assuming you added the keyboard in settings.

That's still too many steps - the trouble with bi/tri-lingual life is you often interject words (places, addresses, proper nouns) in the local language into sentences in any of the other two languages.

Constantly opening and closing settings dialogs gets on your nerves in the long run.

Adding a language to your phone (once) is too much work? Or is a “button” press to swap out the keyboard too much? I don’t understand.

I use English, Swedish accents and Russian with no issue. :s

When I was on android, I could type a message in one language, change who I was talking to, and start typing in another, and the autocomplete would immediately know I had changed language. iOS constantly corrects my first few words before realising. And sometimes the keyboard sets itself to a non-multilingual keyboard.

Does anyone know of a third party keyboard that can support 4 languages? My Android did 3 + Russian just fine but I can't find anything similar for iOS.

> Swipe to type? Hehe

That's finally coming in iOS 13

Wow, Apple is ahead of its competition again.

iOS doesn't even have an Estonian translation after all these years.

I've also switched, after my 1 year old Samsung S8 brick phone dropped to the floor one time too often. I'm not only enjoying the privacy, but also the classic, non-phablet form factor of a brand new iPhone 6s in 2019 and hope it will last me longer. Compared to Samsung's, my typing speed is up, but it's true that autocomplete suggestions are useless.

Have been running my 6s since 2015 - alas, come iOS 13 we’ll likely have to upgrade the hardware or remain with unlatched critical known vulns.

Is it given that 6s won't receive iOS 13? I bought mine because it's the only one still having an audio jack for my car stereo, and the 7 and 8 add nothing for me, except the price. Though maybe it's telling Apple themselves don't sell the 6s anymore.

iOS 13 drops support for iPhones with 1GB of RAM. 5s and 6/6+ are out. The 6S/6S+, the SE, and above are supported.

iOS 13 will be supported on the 6s, just not on the 6/6 Plus (and below).

Use the Google Assistant app for iOS if you need a voice assistant. No hands-free usage (unless you set up a cumbersome Siri shortcut), but it is light-years beyond Siri for practical purposes.

Doesn't that just bring back the privacy issues they switched to iOS over?

What voice assistant features do you miss? I've never used Android so I'm curious.

I can't give you specific examples off the top of my head, but in general use I found the Google Assistant to be much "smarter" and have responses to a wide range of queries

In my experience Google Assistant has better voice recognition and seems to be faster. I've had it recognize things like titles for songs, which are easy to mix up.

Once I had Alexa in my home I stopped asking Siri for anything ever

Siri is probably pissed as fuck. I'd sleep with one eye open if I were you.

This still isn’t reddit.

I use it all the time to set reminders. "Ok Google. At 2 PM next Tuesday remind me to <insert pretty much anything here>".

I use Siri to do the same. Is it an issue of better ASR or NLP that makes the difference for you?

Google assistant is so much better to look up information and understand what you want.

I use Alexa, Siri, and google assistant. And others don't come even close to assistant when it comes to understanding what you mean and the context. Or even understanding what I've said.

You can ask it stuff like "What's the name of the blonde actress from that new tarantino movie" and you will get the result (works on google.com too), then you can ask follow up questions about her.

This also carries over into setting reminders, controlling smart home devices. "Set a timer", "No, you know what, cancel it". It feels like talking to a person. And it sounds more like a person too.

The ONLY reason I use assistant the least of the 3, is the wake word.

Sure, agreed, but GP was saying that (s)he

'use[s] it all the time to set reminders. "Ok Google. At 2 PM next Tuesday remind me to <insert pretty much anything here>".'

I find that Siri is perfectly capable of creating reminders like this (as is Alexa), so wondered about that.

Google Assistant is definitely better about information retrieval (although, yes, the wake phrase is horrible...)

Siri works just fine for setting reminders.

"Siri, remind me to buy milk tomorrow." - "Ok. Calling mom" or some other random action is more typical of siri.

This is a really bad example because I do that one myself a lot and it works perfectly well with siri.

Google assistant is better with more context “give me cycling directions to work, avoid going down Lexington”

Anecdotally that has rarely been the case for me or people I know for simple requests like that. At least in 2019 with devices from the past couple of years

Am I reading this right? If WhatsApp and similar are no longer able to implement End-To-End crypto because they have to use an Apple API which supports only specific protocols, this is going to be a huge loss for users.

I've considered switching to an iOS device, but stuff like this keeps me away, I'm very glad I can keep direct SIP, SSH, IMAP and XMPP connections open at all hours of the day.

Not being able to lurk in the background does not have anything to do with security. I don’t think Signal uses it and they’re generally considered secure. You can check out their source.

The current Apple VoIP APIs don't actually let apps run in the background all the time anyway. What they provide is a way to instantly remotely wake up an app, let it connect to your server in the background, do some local processing, and then create and display a notification. This is exactly what end-to-end encrypted messaging needs, but Apple is killing off the ability to use the VoIP APIs in this way in iOS 13.

Signal uses the exact same PushKit VoIP API that Facebook does, by the way - check PushRegistrationManager.swift in their source. I'm not sure if they use it for text chat as well as voice, but I assume so since there's no references to the newer API they could use in their code and they still support iOS 9 which doesn't have it (as do Facebook Messenger and WhatsApp). Edit: I think it's safe to say that Signal does this, given that Moxie Marlinspike isn't aware of any other way to do it: https://twitter.com/moxie/status/1158852855291269120

(Well, they don't intentionally let apps run all the time in the background. They're quite lax about how long apps can run for in the the background after being woken up in order to support voice calls, but that's not the feature messaging apps need from them.)

This is what is confusing about this article anyway. You used to be able to run your VoIP application in the background all of the time. This has been closed for longer. But WhatsApp and Facebook are really old apps, supporting pretty ancient versions of iOS (last time I checked). They might have inherited the capabilities back from the time it was the only way to have VoIP?

The intended way VoIP application should work is using PushKit and CallKit to show a native call screen after receiving a special VoIP push notification message. Only when the user accepts the actual application will open.

"Background App Refresh" is used for silent push notifications, which should be used to download content when the application is not running. It could be used to download images in messages ahead of time, though could be abused just as well. "Background App Refresh" is not a reliable way to deliver notifications to an application since they're dropped pretty easily.

VoIP apps built against the iOS 9 SDK and earlier can still run in the background all the time, but we know WhatsApp and Facebook Messenger have used iOS SDK 10 or higher since 2016 because they introduced support for CallKik back then which requires that version. Also, the current version of their apps only support iOS 9 and newer and PushKit has been available since 8. As far as I can tell, the media coverage is just misleading in a way that pushes their existing narratives about Facebook and Apple.

Signal docs say it needs Background permission :

"Without this, there may be a delay in sending and receiving messages."


That doesn’t mean encryption won’t work, just that you may not get instant notification of messages.

I wouldn't be so sure about that: https://twitter.com/moxie/status/1158852855291269120

Would be interesting to hear his opinion on this. It's awesome anyway that all of the source is just in the open. I often use it as a sanity check for my own code when I'm dealing with messaging and VoIP.

You can test it yourself, by turning off background permissions. You will still receive messages.

Background processing simply allows it to have the message ready for you by the time you open the app.

Yes, but I did not mention security. I commented on "I don’t think Signal uses it". I should've quoted it.

I read a reply on Twitter explaining why it was used on Signal (and I can't update my own statement anymore). So basically these push notifications are used because they always work and they work for everything.

If you would use the custom notification handler you are required to show a notification, which is fine for a new message but doesn't make sense for read confirmations, "is writing" updates or all other types of information that should not pop up to the user immediately.

Of course you can work around it by using a WebSocket while the app is open and only use push notifications for new messages but obviously that's going to be less tight than the current situation.

It wasn’t clear to me what that sentence meant. My best guess was that maybe WhatsApp needs to do background work to decrypt messages for notifications. Before you’ve unlocked a phone (to allow WhatsApp to access its keys), notifications just show up as “you got an encrypted message” and can’t show what the message is. Perhaps that would happen to all messages after this change.

But then again it seems that apple would want to ensure that there’s still a good way to do end-to-end encryption, so I would guess there would be a workaround.

It wasn't clear why they are using VoIP for WhatsApp. Sounded like it was because it allowed more background processing?

I doubt they would ban end to end crypto, but you are right, it is more of a locked down system.

Edit: keep reading. People explain this nicely below.

Doesn’t he mention explicitly in the video that you can use standard notifications and decrypt the payload before showing them?

How exactly do you deliver notifications in Android? Can background apps simply listen on an open websocket or something?? What exactly is your technique on android

I haven't watched the video, but Apple has a notifications API specifically for encrypted messaging apps to receive encrypted notifications and run a notification appex that decrypts the notification payload prior to showing the notification to the user.

Essence from this site (from my understanding, read the whole article):

WhatsApp is using VoIP iOS features to display end2end encrypted notifications in iOS. This loophole will be closed on iOS13. So either WhatsApp does not display any notifications text on iOS13 with WhatsApp or WhatsApp will remove end2end encryption for the sake of having notifications with text on iOS.

This is really alarming for privacy. Seems Apple does not care about privacy and comfort unless it's software from Apple.

I just hope WhatsApp will stay strong and never give up on end2end encryption.

It's not the case that they would need to give up encrypted notifications. Developers can support end-to-end encrypted notifications by creating a UNNotificationServiceExtension[1]. This is an extension which receives and can mutate the notification before it's shown to the user.

[1]: https://developer.apple.com/documentation/usernotifications/...

Straight from Apple's documentation:

> For example, you could use the extension to decrypt an encrypted data block or to download images associated with the notification.

Thanks for the link. So when FB/WhatsApp will adapt it will work as before. That's great news.

It has nothing to do with end-to-end encryption: they’re abusing the VoIP feature to stay running in the background, which is trading battery life for better surveillance of your activities. Apple is doing it to _protect_ privacy by closing one of the ways unscrupulous app developers keep trackers running.

It has everything to do with end-to-end encryption. Prior to iOS 10, the only way to display notifications for end-to-end encrypted chat without giving Apple a plaintext copy of everything in the notification was to abuse the VoIP feature. More specifically, the "PushKit VoIP API" Facebook's spokesperson mentioned allowed services to push down an opaque blob of data and have their apps immediately wake up in the background, do some processing (such as decryption), maybe get more data from the network, and create a notification. This was intended to support incoming voice calls but worked great for end-to-end encrypted text chat. Now Apple are cracking down on the use of that VoIP background functionality for anything but voice calls.

It might be possible for companies like Facebook to rewrite their code to use an iOS 10+ Notification Service app extension to decrypt the notifications instead, but that requires major code changes and has additional limitations.

Also, from what I can tell Facebook Messenger etc haven't had access to the old APIs which just let VoIP apps run in the background all the time since about 2016. That's not available for apps linked to the iOS 10 API and they've been using the iOS-10-only CallKit since about that time.

> It might be possible for companies like Facebook to rewrite their code to use an iOS 10+ Notification Service app extension to decrypt the notifications instead, but that requires major code changes and has additional limitations.

Perhaps, but iOS 10 is now 3 years old; Facebook has had plenty of time to make those major code changes, as opposed to continuing to use VoIP push notifications for things other than VoIP.

Facebook aren’t obliged to make a change just because they can. Taking something that works and changing it for its own sake is something people very often get annoyed about.

> Taking something that works and changing it for its own sake

That's a somewhat misleading way to characterize this: VoIP apps are still going to be just fine using the VoIP API. The question is whether legacy code should preclude Apple taking steps to act on their users' behalf. Given the number of people I know who uninstalled Messenger so their phone could make it through the workday without a charge, I'm pretty sure most people will shed no tears for someone at Facebook having to do the job they are very well paid to do.

I don’t get what you’re trying to say? The GP says the new api which Facebook should use has been available 3 years, implying that fb ought to have made the change long ago. I say they had no reason to make the change in the last three years [because Apple are dropping support for the old api now and only announced this recently]. And you say that’s wrong (so FB should have made the change 3 years ago) because ... the app will have been fine? Or because Apple behave nobly? I don’t see how it follows.

I’m saying that Facebook was using an API for something other than what it was designed for, and thus I don’t feel much sympathy for them having to change their code when the API contract is more strictly enforced. It’s just a cost of doing business at that point.

> Prior to iOS 10, the only way to display notifications for end-to-end encrypted chat without giving Apple a plaintext copy of everything in the notification was to abuse the VoIP feature.

It’s not the only way, but VoIP is the most reliable way. You can accomplish the same thing with encrypted silent push notifications, that wake up the app and trigger a decrypted local notification. Problem is that silent push notifications aren’t reliable because they don’t always wake up the app (which is throttled by the OS).

> It has everything to do with end-to-end encryption.

Hey, I just noticed that I never responded to you directly: my objection to the comment I replied to wasn’t because it didn’t affect some end-to-end encryption apps but that Apple wasn’t acting against them because they implemented encryption. They’re going against everything using the VoIP API for non-VoIP features and there’s an official replacement API available, so the language casting it as a threat to privacy seemed unfounded.

The use of voip mode is well established technique for building encrypted messaging apps on iOS, and its unsurprising that whatsapp is built around it, especially when you consider that whatsapp is a voip app. No conspiracy theories are necessary.

Are Signal and other messaging apps relying on this feature and do they offer VoIP functionality?

As far as I can tell, that's a yes to both: Signal supports VoIP calls, they're definitely using the PushKit VoIP API, and I assume they're using that API for both text notifications and calls since the code doesn't have any reference to the other API they could use.

It's a shame that in today's world we have to choose between platforms that are open-ended and platforms whose software respects its users. But given that choice, I support this outcome.

It's very hard to provide both as abusive software (malware) tends to take advantage of the open-endedness of platformas to abuse the users.

It’s worse than that even. Open platforms that are popular get commoditised easily, which squeezes margins for vendors, increasing pressure to monetize by any means possible.

The race to the bottom does benefit customers in terms of prices, but there are real costs in terms of the quality and trustworthiness of the products. The cheapest products are most likely to be monetising in shady ways.

For anyone interested in the technical side of the changes getting introduced in iOS 13 regarding messaging apps, the 707 session 'Advances in App Background Execution' of WWDC 2019 is really helpful: https://developer.apple.com/videos/play/wwdc2019/707/

Normally we'd switch to something like that so everyone can read it, but since The Information just unlocked this one for HN, we can stick with the original source this time.

Probably for the best, since the Ars Technica article seems rather confused.

Messenger app initiated a conversation between me and a random friend so we could talk about our 5 year friendship anniversary. Couldn’t fathom who thought that would work.

I've been getting these notifications now for a year at least. It's extremely annoying, and I haven't found any way to toggle it off. Such a colossal misfeature.

I nowadays only use mbasic.facebook.com to check messages every two to four weeks, as FB is still kind of a backup contact platform for many people if everything else fails.

While not exactly the same, I see people in Slack workgroups that will dutifully respond to the Slack bot, which can die in a fire. While it's usually welcome someone to the channel or whatever, it's all annoying as hell. So, yes, I can easily see people dutifully following the app's suggestion.

Hell, people randomly text their phone number neighbor. People are really just sheep.

Facebook engineers know exactly what is going on, and I don't think they actually care.

If you want to see exactly how creepy the whole thing is going to get in the future, you just have to take a look at the transcripts from the Software Engineering Daily podcast where a group of engineers from FB were interviewed recently. The interviewer never once mentioned the word privacy in the entire interview across all the five interviews (with pretty senior FB folks who have been there for quite a while). Or for that matter, there wasn't really a single question across all the five interviews which left me thinking "Well, at least there is someone inside Facebook who disagrees at least minimally with company policies".

You can search for this in the transcripts yourself.






>Facebook engineers know exactly what is going on, and I don't think they actually care.

I know of founders who would need to think carefully about even interviewing someone with Facebook on their resume. And I totally get these concerns given the attitude Facebook has towards the privacy of users.

> think carefully about even interviewing someone with Facebook on their resume

Good, engineers need to be accountable for their complicity.

What a witch hunt. This is akin to persecuting people for their politics.

Well, engineers can have a lot of ethical responsibility. A resume that show you have no scruples doing unethical things is a fine way to gauge if someone is a suitable match.

Not much different then background checks for working in schools or what ever.

If a founder or person in charge of hiring views a candidate as a threat to either the business or their customers then they have every right to pass on that candidate.

>This is akin to persecuting people for their politics.

Whether or not this is a bad thing strictly depends on the politics.

Accountability == Witch Hunt? Where have I heard this before...

Which is something people do. For example, you wouldn't hire someone who takes their politics to just-under-violent extremist levels, as it would be bad PR.


Probably edited, and FB kept editorial rights as part of the agreement to do those.

What are the details? What will change?

We will still have VoIP Push Notifications? We personally rely on them to encrypt the notification payloads and increase privacy so our servers can’t read the plaintext of the notification. Is that now going away?

If you don't want to provide your email address I put the article here https://pastebin.com/kKSNFnm8

That last line though:

> more of a focus on privacy from the operating systems, and the impact that that can have on measurements and also on targeting.

That could have been lifted from an NSA brief. I don't think people realize just how much "targeting" really is indistinguishable from military targeting.

Could just be the editing, but that line read like them admitting, "yeah we're listening all the time, it makes us money".

According to signal devs this is required to do e2ee. I worry apple is starting to use “privacy” as an excuse for any changes. Especially given that they build competing product (iMessage), that’s has all the access rights in the world.

Well this sucks, I'm using this same feature for a privacy app that I'm working on. It's a useful feature to have. Like all tools it can be used for good or bad. Folks will find ways to circumvent restrictions. Apple should enforce with policy, if someone violates. Remove their app. That hurts more. It's like blackhat SEO, Google delists you, it hurts and many people just don't anymore.

> The impact on battery life briefly made it into the headlines back in 2015 when it was discovered that the main Facebook app was using the voice-calling feature to run in the background.

I thought they were just running silent audio?

Good. This sort of thing why I don’t have Facebook on my phone.

The submitted URL was https://www.theinformation.com/articles/facebook-hit-by-appl..., which was hard-paywalled. But The Information has been unlocking many of their articles for HN readers. I asked if they would do that for this one and they said yes, so everyone who clicks on the link above should be able to read it now.

Nice, thank you! And thank you to The Information for sharing quality journalism with the HN community.

No problem!

It seems like a smart win win situation for you. I bet if the WSJ ect. did the same it would drive non trivial growth

This is pretty nice and I was considering subscribing because of them lifting the paywall but it doesn’t seem like they show the subscription cost until after you’ve given them your email address and created a password? I always assume if you have to ask the price, you can’t afford it. It just seems when you click the “subscribe now” button it would tell you the price of the subscription on the next page.

The footer's Payment Policy says:

Monthly – $39

Annually – $399


> I think they're dramatically overvalualing themselves.

They've been in business for over 5 years and are now in the top 6000 sites in the U.S. [1]. For a deliberately-niche publication, they seem to be doing great.

[1] https://www.alexa.com/siteinfo/theinformation.com

> About 3x a Netflix subscription for a single "news" site? I think they're dramatically overvalualing themselves.

The mainstream media in general have been overvalualing themselves for the past decades.

it is still pay-walled for me.

Use the link in the submission

On another note the reader view on iOS (safari on iPadOS 13 public beta) show only first paragraph

What's with the login wall to read the article? Does every random site need my personal information now?

I wish these types of sites were not allowed on Hacker News. I'm not paying for every little news site I read on here (or the big ones). I usually click on the link, realize it's got this crap on it, and bail back out. I don't want to read it and would rather it didn't even show up.

For a while I had updated my CSS setup so that these sites would have a strike through on them and I'd go strait to the comments instead of trying to read the story.

If there's a workaround, it's ok. Users usually post workarounds in the thread. This is in the FAQ at https://news.ycombinator.com/newsfaq.html and there's more explanation here: https://news.ycombinator.com/item?id=10178989 and https://hn.algolia.com/?sort=byDate&dateRange=all&type=comme...

The Information doesn't have a workaround, but they do unlock many articles for HN readers. I asked them to unlock this one and they did, so everyone who clicks on it from HN can read it now.

You can use a service like Temp Mail[0]. It worked for me.

[0]: https://temp-mail.org/

I also just typed in a non-existent gmail address and it worked.

Many sites do that nowadays. The Information seems to be pretty nice, but it's super expensive. At least to me.

Some disposable email sites are blocked on The Information's login wall, even blah@aol.com was rejected (which I found amusing).

But it's easy to think of a random email of letters and numbers, and no further validation is required.

It's a paid site.

It’s a pay site. Logging in gives the, a chance to upsell.

How misleading.

I mean, given the entire verbiage around the sites login wall, it seemed plenty obvious here.

Maybe... I don't pay much attention to sales pitches. Just saw 'Read this article for free" and a login button and assumed as much.

It'll convert well for them at least.

The Information isn't that random (as the name implies).

It's an attempt to create a high-value, investigative tech magazine. The paywall is rather strict and it seems to be aimed at the investor class, so I'm not entirely sure how well it's going because I'm not a subscriber, but I believe I've seen a few important stories that originated with them.

It may be they're a quality site but I've never heard of them before. Not about to hand over personal contact information to an unknown party.

If it were the New York Times or some site I've heard of however, I'd happily login.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact